I've been reading about the BREACH attack and, despite the fact that it is an attack that involves a web application at the server level too, I was wondering if there's something to block this kind of attack in Rails.
I've found breach-mitigation-rails, which they say is not a bullet-proof solution, just something to mitigate an attack in some ways. Is there something else out there?
The presenters of BREACH have put up a website with further details. The listed mitigations, ordered by effectiveness, are:
HTTP compression can fairly easily be disabled at the server, at the expense of efficiency.
The breach-mitigation-rails gem addresses points #4 and #6. It is likely to break caching and increase page size.
Another interesting fix works on point #4, with none of the negative impacts on efficiency, but it does require JavaScript (which can help cut down on spam submissions, anyway).
An official fix is also being discussed.
You may also find this non-rails-specific question interesting - https://security.stackexchange.com/questions/39925/breach-a-new-attack-against-http-what-can-be-done.
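The numbered list the answer refers to is not reproduced on this page. The following is an added, stand-alone illustration (it is not the gem's code, nor from the question or the answer) of the two mitigations the gem targets: masking the secret with a fresh random pad on every response, and length hiding with random padding. The `render_page` view and the `compressed_size` measurement are constructed stand-ins for a Rails view and the size an observer sees once HTTP compression is on; the token layout (`pad || secret XOR pad`, Base64-encoded) is an assumption of this example, not the gem's format.

```ruby
require 'securerandom'
require 'base64'
require 'zlib'

# XOR two equal-length binary strings byte by byte.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Masking secrets: wrap the constant secret in a fresh one-time pad on every
# response. The transmitted bytes change each time, so the compressed length
# no longer reflects how much of the real secret an attacker-controlled
# string happens to share with it.
def mask_secret(secret)
  pad = SecureRandom.random_bytes(secret.bytesize)
  Base64.strict_encode64(pad + xor_bytes(secret, pad))
end

# Server side: recover the secret from pad || (secret XOR pad).
def unmask_secret(token)
  raw = Base64.strict_decode64(token)
  raise ArgumentError, 'malformed masked token' if raw.bytesize.odd?
  half = raw.bytesize / 2
  xor_bytes(raw.byteslice(half, half), raw.byteslice(0, half))
end

# Length hiding: append a random amount of filler so that the response size
# carries less information. Random characters compress poorly, so the added
# length survives deflate.
def length_hiding_padding(max_chars = 64)
  n = SecureRandom.random_number(max_chars + 1)
  "<!-- #{SecureRandom.alphanumeric(n)} -->"
end

# Constructed stand-in for a view that embeds the CSRF token.
def render_page(secret, masked: true, pad_length: true)
  token = masked ? mask_secret(secret) : Base64.strict_encode64(secret)
  body = +"<html><body><form><input name=\"authenticity_token\" value=\"#{token}\">"
  body << '</form>'
  body << length_hiding_padding if pad_length
  body << '</body></html>'
end

# What an observer on the network can measure once HTTP compression is on.
def compressed_size(body)
  Zlib::Deflate.deflate(body).bytesize
end

if __FILE__ == $PROGRAM_NAME
  secret = SecureRandom.hex(16)
  unmasked = Array.new(5) { compressed_size(render_page(secret, masked: false, pad_length: false)) }
  masked   = Array.new(5) { compressed_size(render_page(secret)) }
  puts "unmasked, unpadded sizes: #{unmasked.inspect}" # identical on every render
  puts "masked + padded sizes:    #{masked.inspect}"   # differs from render to render
  puts "round trip ok: #{unmask_secret(mask_secret(secret)) == secret}"
end
```

Running the script shows the point of both mitigations: without them the compressed size of the same page is identical on every render, so it is a stable function of the page contents; with them the token bytes and the page length change on every response. Masking alone does not change how much the page compresses on average, which is why the answer notes the gem also grows page size and interferes with caching.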